Armorer Guard Semantic Classifier
This repository contains the lightweight local semantic classifier artifacts used by Armorer Guard.
License
These model artifacts are released under the MIT License. See LICENSE.md for
the full license text.
Armorer Guard is a local-first scanner for agent inputs, model outputs, and tool calls. The classifier is a TF-IDF linear model trained on Armorer-owned synthetic development data for these semantic categories:
- prompt injection
- system prompt extraction
- data exfiltration
- sensitive data request
- safety bypass
- destructive command
Files
semantic_classifier_native.tsv- Rust-native exported coefficients used by the Armorer Guard binary.semantic_classifier_profile_native.tsv- Rust-native profile fallback coefficients used by the higher-recall benchmark/strict profiles.semantic_classifier.onnx- ONNX export of the selected model.semantic_classifier.joblib- scikit-learn training artifact for inspection and reproducibility.labels.json- classifier label order.metrics.json- validation metrics for the selected experiment.
Intended Use
Use these artifacts with Armorer Guard or compatible local scanners that need a small, no-network semantic lane for agent safety classification. The model is not a hosted API and does not require inference calls to Hugging Face.
Limitations
These are lightweight TF-IDF linear classifiers, not transformer models. The
default scanner uses the word-ngram model; the benchmark profile can add a
char-wb fallback model for higher recall. The current profile fallback,
char-wb-public-distill-30k-v1, is trained from public benchmark train splits,
synthetic benign controls, and Armorer-owned hard-negative/profile rows; report
heldout metrics separately from full-corpus public benchmark checks. These
models are intended as lanes in a defense-in-depth scanner alongside
deterministic credential detection, policy checks, and context-aware rules.
The classifier can produce false positives on security-adjacent benign text and false negatives on novel obfuscations. Do not use it as the only enforcement mechanism for high-risk systems.